HGKeeper

Merged TALOS-CAN-0134
release-2.x.y
2016-06-12, Gary Kramlich

406382495c37

Parents 2ba646d2f879 cae95839afeb
Children 89b326ceca25

Merged TALOS-CAN-0134

2 files changed, 12 insertions(+), 2 deletions(-)

+2 -0

ChangeLog

+10 -2

libpurple/protocols/mxit/formcmds.c

~~--- a/ChangeLog Sun Jun 12 22:11:59 2016 -0500~~

+++ b/ChangeLog Sun Jun 12 22:13:22 2016 -0500

@@ -31,6 +31,8 @@

* Fixed a remote denial of service vulnerability that could result in

a null pointer dereference. Discovered by Yves Younan of Cisco Talos.

(TALOS-CAN-0133)

+ * Fixed a remote denial of service that could result in an out-of-bounds

+ read. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0134)

version 2.10.12 (12/31/15):

General:

~~--- a/libpurple/protocols/mxit/formcmds.c Sun Jun 12 22:11:59 2016 -0500~~

+++ b/libpurple/protocols/mxit/formcmds.c Sun Jun 12 22:13:22 2016 -0500

@@ -522,9 +522,9 @@

const char* tmp;

const char* name;

int mode;

~~- int nr_columns = 0, nr_rows = 0;~~

+ unsigned int nr_columns = 0, nr_rows = 0;

gchar** coldata;

~~- int i, j;~~

+ unsigned int i, j;

/* table name */

name = g_hash_table_lookup(hash, "nm");

@@ -550,6 +550,12 @@

coldata = g_strsplit(tmp, "~", 0); /* split into entries for each row & column */

+ if (g_strv_length(coldata) != (nr_rows * nr_columns)) {

+ purple_debug_info(MXIT_PLUGIN_ID, "Invalid table data: cols=%i rows=%i\n", nr_columns, nr_rows);

+ g_strfreev(coldata);

+ return;

+ }

+

purple_debug_info(MXIT_PLUGIN_ID, "Table %s from %s: [cols=%i rows=%i mode=%i]\n", name, mx->from, nr_columns, nr_rows, mode);

for (i = 0; i < nr_rows; i++) {

@@ -557,6 +563,8 @@

purple_debug_info(MXIT_PLUGIN_ID, " Row %i Column %i = %s\n", i, j, coldata[i*nr_columns + j]);

}

+

+ g_strfreev(coldata);

}

pidgin/pidgin